[Snort-users] Simple FTP login request rule - just not so simple to me!

Matt Kettler mkettler at ...4108...
Thu Apr 1 15:53:01 EST 2004


At 03:41 PM 4/1/2004, JPP wrote:
>Anyone have a rule to capture and alert on FTP login requests ONLY?
>The rules we currently have capture either all FTP's inbound and generate 
>a lot of entries at times, and the standard rules in ftp.rules which to 
>this point have generated none.
>
>A rule I have tried (in several variations) goes something like:
>alert tcp any any -> $HOME_NET 21 (msg:"FTP Password/Login attempt" \
>    flow:to_server,established; content:"Password"; nocase;)
>
>I fooled around with the wording,
>added content:"USER"; nocase;
>and/or
>added content:"ogin"; nocase;
>and still not a single hit when I log onto a server. I SEE Password: when 
>I log in manually so obviously something in my logic or my general 
>understanding of rules is lacking.
>Any wise rule writers out there that can assist would be greatly appreciated!

Your head is turned around looking backwards... :)

All those strings don't go to the server... they come _from_ the server and 
go to the client.. so of course your rule isn't firing..

Re-write your rule's sense of direction using something like this instead:

alert tcp $HOME_NET 21 -> any any (msg:"FTP Password/Login prompt outbound" \
    flow:from_server,established; content:"Password"; nocase;)

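The direction point in Matt's reply, as an added example that is not part of the thread: a small Python model of a constructed FTP login exchange and of how a Snort rule's header direction, flow keyword and ANDed content options apply to it. The client port 51234 and the toy matcher are assumptions; this is not Snort, only an illustration of why the original rule stays silent and the reversed one fires.

```python
# Toy model of Snort direction, flow and content;nocase (added example; client port assumed).
from dataclasses import dataclass
from typing import List, Optional

FTP_PORT = 21  # server port named in both rules in the thread

@dataclass
class Packet:
    src_port: int
    dst_port: int
    payload: bytes
# Constructed FTP login exchange (sample data, not a real capture).
SESSION = [
    Packet(51234, FTP_PORT, b"USER bob\r\n"),                      # client -> server
    Packet(FTP_PORT, 51234, b"331 Password required for bob\r\n"),  # server -> client
    Packet(51234, FTP_PORT, b"PASS hunter2\r\n"),                   # client -> server
    Packet(FTP_PORT, 51234, b"230 Login successful.\r\n"),          # server -> client
]

@dataclass
class Rule:
    msg: str
    src_port: Optional[int]  # None means "any"
    dst_port: Optional[int]
    flow: str                # "to_server" or "from_server"
    contents: List[bytes]    # every content option must match (ANDed, as in Snort)

def matches(rule: Rule, pkt: Packet) -> bool:
    """Header direction, flow keyword and all content strings (case-insensitive)."""
    if rule.src_port is not None and pkt.src_port != rule.src_port:
        return False
    if rule.dst_port is not None and pkt.dst_port != rule.dst_port:
        return False
    to_server = pkt.dst_port == FTP_PORT  # client talks to 21; server answers from 21
    if (rule.flow == "to_server") != to_server:
        return False
    data = pkt.payload.lower()
    return all(c.lower() in data for c in rule.contents)

def alerts(rule: Rule, session=SESSION) -> List[str]:
    return [p.payload.decode().strip() for p in session if matches(rule, p)]

# JPP's rule: "Password" going to the server. The prompt never travels that way.
ORIGINAL = Rule("FTP Password/Login attempt", None, FTP_PORT, "to_server", [b"Password"])
# Matt's rule: same string, but from the server side (port 21 outbound).
CORRECTED = Rule("FTP Password/Login prompt outbound", FTP_PORT, None, "from_server", [b"Password"])
# JPP's variant with content:"USER" added: both strings must sit in one packet.
WITH_USER = Rule("FTP Password/Login attempt", None, FTP_PORT, "to_server", [b"Password", b"USER"])
# What a to_server rule can see on this session: the USER command itself.
USER_CMD = Rule("FTP USER command", None, FTP_PORT, "to_server", [b"USER "])
```

Running `alerts(ORIGINAL)` returns nothing while `alerts(CORRECTED)` returns the 331 prompt, which is exactly the behaviour described in the thread.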